My laptop suddenly started complaining I may have a virus (I have Sophos Antivirus installed, and I think it is pretty up to date)

Then I get loads of errors, starting with a pop-up window (titled "delayed write failed") saying "Failed to save all the components for the file \\System32\\0003101. The file is corrupted or unreadable. This may be caused by a PC hardware problem"

This window keeps popping up with a different file name each time. I then got another pop-up window which I thought was the genuine Windows error fixing program, and I stupidly clicked on the button to repair and fix my computer. I think this installed a program on the laptop as it listed a new program on the start menu.

However, after a while (and a reboot or two) I have no programs on the start menu, and I cannot see any of the C drive. The C drive is there, as I can see it from another machine on my LAN, but I cannot access all the files as it says "Access Denied" to a lot of them.

Ok, after looking around this great site, I think I have got the "System Check" virus. My symptoms match those of others who have experienced this.

So, I have downloaded the "unhide" utility and run this. I can now see all my desktop icons again and I can see my files correctly.

I have downloaded Malwarebytes anti malware, and installed this. I made sure Update and Launch were checked and clicked Finish.

A window has now popped up with a window title of vbAccelerator SGrid II Control and it says Run-time error '0'

I only have the option to click OK, which when I do gives me another pop-up with the title "Malwarebytes Anti-Malware", and in the window it says "Run-time error '440': Automation error". Again I can only click OK.

I click OK and I get another pop-up identical to the first. I click OK and I get the second pop-up again. I click OK and I don't seem to get any more pop-ups.

I'm now going to download and run aswMBR and I will post the log shortly.

This program will remove the +H, or hidden, attribute from all the files on your hard drives.

Note 1: This does not remove the malware, only the attribute causing the 'missing' problem. So it is important for you to continue.
Note 2: If you are infected with System Check it is important that you do not delete any files from your Temp folder or use any temp file cleaners.
=======================================
Please follow these steps: Preliminary Virus and Malware Removal.

NOTE: If you already have any of the scanning programs on the computer, please remove them and download the versions in these links.

When you have finished, leave the logs for review in your next reply. NOTE: Logs must be pasted in the replies. Attached logs will not be reviewed.
==================================
My Guidelines: please read and follow:

Be patient. Malware cleaning takes time. I am also working with other members while I am helping you.

Read my instructions carefully. If you don't understand or have a problem, ask me. Follow the order of the tasks I give you. Order is crucial in cleaning process.

If you have questions, or if a program doesn't work, stop and tell me about it. Don't try to get around it yourself.

File sharing programs should be uninstalled or disabled during the cleaning process.

Observe these:
[o] Don't follow directions given to someone else
[o] Don't use any other cleaning programs or scans while I'm helping you.
[o] Don't use a Registry cleaner or make any changes in the Registry.
[o] Don't download and install new programs- except those I give you.

If I haven't replied back to you within 48 hours, you can send a PM with your thread link in it as a reminder. Do not include technical problems from your thread. Support is given only in the forum. Threads are closed after 5 days if there is no reply.
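As an added illustration of what the "unhide" step above does (this is example code, not the unhide utility and not something posted in the thread), the PowerShell script below lists files that carry the Hidden attribute but not the System attribute under a few user-facing folders, skipping the handful of files Windows keeps hidden on purpose, and only clears the attribute when run with -Fix. The search roots and the list of known-hidden names are assumptions for a Windows XP profile layout.

```powershell
# Added example, not code from the thread or from the unhide tool.
# Report (and with -Fix, clear) the Hidden attribute on user-visible files.
param(
    # Assumed roots: the XP user profile's desktop and Start Menu plus Program Files.
    [string[]]$Roots = @("$env:USERPROFILE\Desktop", "$env:USERPROFILE\Start Menu", "$env:ProgramFiles"),
    [switch]$Fix   # without -Fix the script only reports what it would change
)

# Files that Windows legitimately keeps hidden; these are never touched.
$knownHidden = @('desktop.ini', 'thumbs.db', 'ntuser.dat', 'ntuser.dat.log', 'ntuser.ini')
$hiddenBit   = [int][IO.FileAttributes]::Hidden
$systemBit   = [int][IO.FileAttributes]::System

function Get-SuspiciousHidden {
    param([string[]]$Paths)
    foreach ($root in $Paths) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        # -Force is required or hidden entries are not enumerated at all.
        Get-ChildItem -LiteralPath $root -Recurse -Force -ErrorAction SilentlyContinue |
            Where-Object {
                (([int]$_.Attributes -band $hiddenBit) -ne 0) -and
                (([int]$_.Attributes -band $systemBit) -eq 0) -and
                ($knownHidden -notcontains $_.Name.ToLower())
            }
    }
}

$hidden = @(Get-SuspiciousHidden -Paths $Roots)
"Hidden (non-system) items found: $($hidden.Count)"
$hidden | Select-Object FullName, Attributes, LastWriteTime | Format-Table -AutoSize -Wrap

if ($Fix) {
    foreach ($item in $hidden) {
        # Clear only the Hidden bit and leave every other attribute as it was.
        $item.Attributes = [IO.FileAttributes]([int]$item.Attributes -band (-bnot $hiddenBit))
    }
    "Cleared the Hidden attribute on $($hidden.Count) items."
}
```

Run it once without -Fix and read the list: a sudden burst of hidden entries with the same LastWriteTime across the desktop and Start Menu is the pattern the rogue produces, whereas a lone hidden file inside an application folder is often just how that program installs itself.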

Sorry for getting impatient. I will follow your instructions to the letter from now on !

Firstly, I had already downloaded unhide.exe from your site and run it. It has removed the hidden attribute and I can now see all my files and desktop icons. As this only removes the attribute, and it has done so correctly I am assuming you do not need me to run it again?

Next I have previously installed Malwarebytes Anti-Malware and it appears on my list of programs. I have therefore selected to uninstall this (using the Uninstall option on the programs list) as per your instructions. However, the uninstall status window is showing no progress, and looks like it is frozen. It has been like this for about 10 minutes. There is little, if any, disk activity.

Should I just let it run or do I need to do anything else?

(For information, I also keep getting an alert displayed in a balloon from the system tray. It claims to be from Sophos (I have Sophos Antivirus installed and running on my system) and it reports "suspicious behaviour HIPS/RegMod-009 has been detected and moved to quarantine. No Action Taken. ")

See if you can back off the Malwarebytes uninstall. See if it will update, then run the scan.
====================================
IF Mbam seems to be 'stuck' in the uninstall mode, shut it down and run the following: SuperAntiSpyware Home Edition Free Version

Make sure everything found has a checkmark next to it, then press 'Next'.

Click on 'Finish' when you're done.

It's possible that the program will ask you to reboot in order to delete some files.

Obtain the SuperAntiSpyware log as follows:

Click on 'Preferences'.

Click on the 'Statistics/Logs' tab.

Under 'Scanner Logs' double click on 'SuperAntiSpyware Scan Log'.

It will then open in your default text editor, such as Notepad. Paste the Notepad file here in your reply.
========================================
You can then go ahead and run the following: Please note: If you have previously run Combofix and it's still on the system, please uninstall it. Then download the current version and do the scan. Uninstall directions, if needed:

Click START> then RUN

Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.

--------------------------------------
Expect these; they are normal:
1. If asked to install or update the Recovery Console, allow (you will need an internet connection for this).
2. Before you run the Combofix scan, please disable any security software you have running.
3. Combofix may need to reboot your computer more than once to do its job; this is normal.

Note: If Combofix was downloaded to a flash drive, the Recovery Console will not install; just bypass and go on.

Note: No query will be made if the Recovery Console is already on the system.

[o] Close/disable all anti virus and anti malware programs
(If you need help with this, please see HERE)

[o] Close any open browsers.

[o] Click on Yes, to continue scanning for malware

[o] If Combofix asks you to update the program, allow

When the scan completes, a report will be generated and it will open in a text window. Please paste the C:\ComboFix.txt in your next reply.

Re-enable your Antivirus software.
Note 1: Do not mouse-click Combofix's window while it is running. That may cause it to stall.
Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart the computer.
Note 3: CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
===================================
Please leave the logs in your next reply. When I review them I will determine what we do next.
==================================
Regarding the Sophos 'balloon': HIPS/RegMod-009
Category: Suspicious Behavior and Files
Type: Suspicious behavior
Sophos advises as follows:

To reduce the chance of unwanted detections, Sophos HIPS should be set to 'Alert only' mode for the duration of any software installations.

You have 2 options if you've received an alert:
[o] Authorize the file if it's from a trusted source.
[o] Send for analysis if you do not trust the file or think it may be compromised.

Since we are aware that there is rogue malware on the system it is possible that the malware has generated this fake alert. Make sure Sophos is set in the 'Alert' only mode, then ignore the message for now. It is important that you do not click on the 'alerts' or 'warnings' as that can activate the malware to run again.
=======================================

I am trying to download Super Anti Spyware, but my PC is almost unusable now. It is running incredibly slowly, and the System Check screen is on top of my desktop and cannot be moved. (I cannot get focus.)
I have managed to click on the download link, but it is sitting there at 0%.

What is most worrying is that I have Teamviewer installed and I can see (partially behind the System Check screen) a Teamviewer pop-up window which is inviting me to choose a partner (i.e. one of my PCs on my LAN) to present this application with Teamviewer. The "Allow Partner to interact" check box is not checked.

I suspect someone is trying to use Teamviewer to get on to other PCs on my LAN.

Can I disconnect the internet and download any programs I need from a known clean PC and put them on a USB stick and run them on the infected PC like this?

Can I disconnect the internet and download any programs I need from a known clean PC and put them on a USB stick and run them on the infected PC like this?

Yes, you can use a flash drive.

Have you tried to run Malwarebytes? I need something to see what we're working with. I can give you some 'cosmetic' help for the system, but it doesn't remove the malware itself and may not be successful with the malware still on the system.

Correct Display Changes if needed: If the desktop background is black or if the theme has been removed:

Click on Start> Control Panel> Appearance & Personalization

Select Change Theme or Change Desktop Background

=====================================
Some items may not show on the Start menu. To add them back:

Thanks for this. I appreciate you have no logs from me yet but I will get them posted as soon as I can.

I rebooted with no network connection and the PC came up ok and allowed me to tidy up the desktop, and re-enable the stuff from the Start Bar.

I have copied Superantispyware on to the desktop and have installed it. I re-connected the LAN and ran the software. It downloaded an update successfully. The PC also launched a new IE browser, with a picture of a scantily clad young woman, who was claiming they wanted to chat with me.

The virus/malware/whatever it is is still there I guess.

Anyway, I have disconnected the network again and am running superantispyware which is going well. So far we have 86 threats detected, and once it is finished I'll post the logs so you know where we are.

Once I've posted the logs I will await your further instructions before running combofix.

Note: I have reviewed the Tracking Cookies in the SAS log. I am going to edit the post and delete them. Hopefully you checked the line in SAS to remove the entries it found. If you did not, please run it again and do so.

For Firefox: Tools> Options> Privacy> Cookies> CHECK ‘accept Cookies from Sites’> UNCHECK 'accept third party Cookies'> Set Keep until 'they expire'. This will allow you to keep Cookies for registered sites and prevent or remove others. (Note: for Firefox v3.5, after Privacy click on 'use custom settings for History.')

I suggest using the following two add-ons for Firefox. They will prevent the Tracking Cookies that come from ads and banners and other sources: AdBlock Plus, EasyList

For Chrome: Tools> Options> Under The Hood> Privacy Section> CHECK 'Restrict how third party Cookies can be used'> Close.
(First-party and third-party cookies can be set by the website you're visiting and websites that have items embedded in the website you're visiting. But when you next visit the website, only first-party cookie information is sent to the website. Third-party cookie information isn't sent back to the websites that originally set the third-party cookies.)
=======================================
Please post the Combofix log when ready.

Open Eset Smart Installer
[o] Click on the esetsmartinstaller_enu.exe link and save to the desktop.
[o] Double click on the desktop icon to run.
[o] After successful installation of the ESET Smart Installer, the ESET Online Scanner will be launched in a new Window

Continue with the directions.

Check 'Yes I accept terms of use.'

Click Start button

Accept any security warnings from your browser.

Uncheck 'Remove found threats'

Check 'Scan archives'

Leave remaining settings as is.

Press the Start button.

ESET will then download updates for itself, install itself, and begin scanning your computer. Please wait for the scan to finish.

When the scan completes, press List of found threats

Push Export of text file and save the file to your desktop using a unique name, such as ESETScan. Paste this log in your next reply.

Push the Back button, then Finish

NOTE: If no malware is found then no log will be produced. Let me know if this is the case.

NOTE: I am not convinced the log for explorer.exe is valid. I did not have the option to rescan this file, the button was greyed out. I also tried it from a known clean computer and I got the same result, so I don't think that test is valid.

There are some entries for the Symantec pcAnywhere: this is Remote Desktop & Remote Access Software. There are also entries for Citrix GoToAssist & LogMeIn. Unless you are actively using these processes now, they should be stopped/disabled.
-----------------------------------
There is a Scheduled Task set in 2007 and/or 2008 for the Calculator:
2008-08-12 c:\windows\Tasks\Calculator.job
- c:\windows\system32\calc.exe [2007-06-12 12:00]
What kind of Tasks do you have a calculator doing?
Advise delete task as follows:
Opening scheduled tasks to modify or delete them:
Access Scheduled Tasks with Click on Start> All Programs> Accessories> System Tools> Scheduled Tasks.

To delete the task: right-click the Task> click Delete.
(c:\windows\system32\calc.exe)
==================================
Did you miss my direction in the Eset scan to Uncheck 'Remove found threats'?

Run the following please: It will give me more information. There are 4 new malware entries. Those from System Volume are Restore Points. They are no longer active in the system and will be removed when we are finished. You are instructed not to do a System Restore while cleaning, so they shouldn't be a problem.

Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.

Click the red Moveit! button.

A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.

Close OTMoveIt3
=========================================
The two entries I asked about were malware, as I suspected. So we need to find how they are getting in:
Download Security Check by screen317 and save to the desktop

Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.

A Notepad document should open automatically called checkup.txt please

Post the contents of that document.

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
--------------------------
You also need to find and remove these from Startup:
C:\Documents and Settings\Default User\Start Menu\Programs\Startup\kafiy.exe
C:\Documents and Settings\SCDCICTA\Start Menu\Programs\Startup\wuqo.exe
Use the msconfig utility to access the Startup Menu. Expand the Command section if needed by holding the left mouse button down on the line in the frame above between Process and Command and moving to the right to expand.
=======================================
Please run this Custom CFScript:

[1]. Close any open browsers.
[2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
[3]. Open notepad> click on Format> Uncheck 'Word Wrap'> and copy/paste the text in the code below into it:
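As an added example for the two persistence locations the helper points at above (the Calculator.job scheduled task and the kafiy.exe / wuqo.exe entries in the per-profile Startup folders), and not code from the thread or from any of the tools named in it, this PowerShell 2.0 script inventories the Startup folders of every profile, the Run/RunOnce registry keys and the scheduled tasks, and reports whether each launched executable carries a valid Authenticode signature. The profile root (C:\Documents and Settings) is the Windows XP layout and is an assumption, as is using the built-in schtasks query for tasks; the avoidance of -File/-Directory and [pscustomobject] is deliberate so it runs on the PowerShell version XP can have.

```powershell
# Added example, not code from the thread or from ComboFix/OTM/msconfig.
# Inventory autostart locations on a Windows XP layout and flag unsigned binaries.
$profilesRoot = 'C:\Documents and Settings'      # assumption: XP profile root
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Pull the executable out of a command line, quoted or bare; $null when none is found.
function Get-ExePath {
    param([string]$CommandLine)
    if ($CommandLine -match '^\s*"([^"]+\.exe)"' -or $CommandLine -match '^\s*(\S+\.exe)') {
        return [Environment]::ExpandEnvironmentVariables($matches[1])
    }
    return $null
}

# Build one inventory record; Signature is Valid, NotSigned, missing or unresolved.
function New-Entry {
    param([string]$Source, [string]$Command, [string]$Path)
    $state = 'unresolved'
    if ($Path -and (Test-Path -LiteralPath $Path)) {
        $state = (Get-AuthenticodeSignature -FilePath $Path).Status.ToString()
    } elseif ($Path) {
        $state = 'missing'
    }
    New-Object PSObject -Property @{ Source = $Source; Command = $Command; Signature = $state }
}

function Get-AutostartInventory {
    # 1. Startup folder of every profile, including Default User and All Users.
    $profiles = @(Get-ChildItem -LiteralPath $profilesRoot -Force -ErrorAction SilentlyContinue |
                  Where-Object { $_.PSIsContainer })
    foreach ($prof in $profiles) {
        $startup = Join-Path $prof.FullName 'Start Menu\Programs\Startup'
        $files = @(Get-ChildItem -LiteralPath $startup -Force -ErrorAction SilentlyContinue |
                   Where-Object { -not $_.PSIsContainer -and $_.Name -ne 'desktop.ini' })
        foreach ($f in $files) {
            New-Entry "StartupFolder\$($prof.Name)" $f.FullName $f.FullName
        }
    }
    # 2. Run / RunOnce values for the machine and the current user.
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }          # provider bookkeeping properties
            $cmd = [string]$p.Value
            New-Entry "Registry\$key\$($p.Name)" $cmd (Get-ExePath $cmd)
        }
    }
    # 3. Scheduled tasks, read through the built-in schtasks verbose CSV output.
    $tasks = @(schtasks /query /fo CSV /v 2>$null | ConvertFrom-Csv)
    foreach ($t in $tasks) {
        if ($t.TaskName -eq 'TaskName') { continue }      # repeated header rows
        $cmd = [string]$t.'Task To Run'
        New-Entry "Task\$($t.TaskName)" $cmd (Get-ExePath $cmd)
    }
}

$inventory = @(Get-AutostartInventory)
$inventory | Sort-Object Signature | Format-Table Signature, Source, Command -AutoSize -Wrap
# Anything not carrying a valid signature is what a reviewer looks at first.
$inventory | Where-Object { $_.Signature -ne 'Valid' } |
    ForEach-Object { "REVIEW: $($_.Source) -> $($_.Command)" }
```

The script changes nothing; it only reports. An entry such as a randomly named .exe sitting in the Default User Startup folder (the pattern in the two paths above) shows up as NotSigned with a Source naming the profile it came from, and a task whose command resolves to a signed Windows binary like calc.exe shows as Valid but still deserves the question the helper asks, since a benign binary can be scheduled for a malicious reason.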

Sorry, I did miss your instructions in the Eset scan to Uncheck 'Remove found threats'

Apologies - my bad.

Anyway, I tried to run OTM but it wouldn't run on my laptop. I tried downloading direct from the web site to the laptop desktop, and also I downloaded it to a clean pc and copied it over using a usb stick.

When I try to run it I get a window saying OTM has encountered a problem and needs to close. We are sorry for the inconvenience. I can then either click to send Microsoft an error report or click don't send. I chose don't send.

I then tried dragging the txt file to combofix, and that wouldn't run either.

I get a window come up with a title bar NSIS Error. In the box it says "Installer integrity check has failed. Common causes include incomplete download and damaged media. Contact the installer's author to obtain a new copy."

I have downloaded a new combofix.exe to my clean PC and it runs fine. I copied this over to the infected laptop using a USB stick and I get the same error.

There are some entries for the Symantec pcAnywhere: this is Remote Desktop & Remote Access Software. There are also entries for Citrix GoToAssist & LogMeIn. Unless you are actively using these processes now, they should be stopped/disabled.

Are you working on your computer or are you doing remote help on someone else's system? You also run LaunchAnywhere. There is very little security on the system and several outdated programs that are vulnerabilities.

As far as I can tell by your description, the installer error began after you ran Malwarebytes, then got stuck trying to uninstall it. I don't have much to go on missing the logs. You aren't able to remove the malware entries we find. You mention an infected laptop and using a flash drive.

Please see if you can run this very basic program, HijackThis:
First, set up a Directory for HijackThis as follows:
Right click Taskbar> Explore> My Computer> Local Drive (C)> File> New> Folder> Name folder HijackThis
Exit Explorer
You now have a folder C:\HijackThis
-----------------------------------------
Download HijackThis and save to your desktop.

Click on the HJT icon> 'Extract all files'> Extraction Wizard> Click on Browse to right of dialogue box that says 'Select a folder'

Extract it to the directory on your hard drive you created C:\HijackThis.

Then navigate to that directory and double-click on the hijackthis.exe file.

When started click on the Scan button and then the Save Log button to create a log of your information.

The log will then open in Notepad. Be sure to click on Format> Uncheck Word Wrap when you open Notepad.

Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.

Come back here to this thread and paste (Ctrl+V) the log in your next reply.

NOTE: Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.
====================================
When you finish with the above, I'd like you to use the Windows Installer Cleanup Utility to remove all entries related to the following:
OTM
Malwarebytes

Do not click on any error messages! Not even with just OK. Ignore them and try to continue.

Please connect long enough if you can and run the Eset scan again. Please remember to Uncheck the box for removal of the entries.

I am still concerned about the Backdoor.IRC bot and the possibility of a file infector.
------------------------------------------------
Let's check the system:
Please run the MGA Diagnostics tool

You will be prompted to either “Run” or “Save” the tool. Choose to “Run” the tool and follow the on-screen prompts.

You will receive an Internet Explorer-Security Warning dialog box for the Windows Genuine Advantage Diagnostic Tool>

You must choose to Run this tool when prompted.

Once you are presented with the Diagnostics tool choose Continue to run the diagnostic report.

If the RESOLVE button is available after running the diagnostics, please click RESOLVE to allow the diagnostic tool to attempt a repair.

After running the MGA Diagnostic tool, click on the Windows tab and then click on Copy

Please return to this thread and Paste the results here for review.

------------------------------------------
This step is to look on the computer itself, in the documentation you received with the computer or with your retail purchase of Windows, to see if you have a Certificate of Authenticity (COA). If you have one, tell us about the COA. Tell us:

1. What edition of Windows XP is it for, Home, Pro, or Media Center, or another version of Windows?
2. Does it read "OEM Software" or "OEM Product" in black lettering?
3. Or, does it have the computer manufacturer's name in black lettering?
4. DO NOT post the Product Key.

NOTE: The data collected with the Genuine Diagnostics Tool does NOT contain any information that can personally identify you and can be fully reviewed, by you, before being posted.

It appears that you are on your work computer, operating under a volume license. You are running LANDesk® Management Suite software including the Targeted Multicast Client Service Executable. This file is not digitally signed. This also includes the Intel Ping Discovery Service (PDS). Part of Intel's LANDesk Management Suite 6 and the Common Base Agent (CBA) - used for communicating between the core server and managed clients.

There is IT Management software running, processes for remote connections. There is a keylogger on the system which most likely is from the company you are working for. A volume license is being used and no key numbers are given.

In the absence of some of the logs, I am not able to determine what the update status is. I asked and repeated the following in my Replies 17 & 19. It was never addressed:

There are some entries for the Symantec pcAnywhere: this is Remote Desktop & Remote Access Software. There are also entries for Citrix GoToAssist & LogMeIn. Unless you are actively using these processes now, they should be stopped/disabled.

Are you working on your computer or are you doing remote help on someone else's system? You also run LaunchAnywhere. There is very little security on the system and several outdated programs that are vulnerabilities.
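As an added example for the question the helper keeps returning to (which remote-access and management products are present and whether they should be stopped or disabled), and not code from the thread or from any of those products, this PowerShell 2.0 script lists installed services and running processes whose name, display name or binary path contains one of the product names mentioned in the thread, together with their state and start mode. The keyword list is an assumption built from the names on this page (pcAnywhere, GoToAssist, LogMeIn, TeamViewer, LANDesk, LaunchAnywhere); the -Disable switch is off by default so the user can first match the list against what company IT actually manages.

```powershell
# Added example, not code from the thread. Inventory remote-access and
# management software by service and process name; disable only on request.
param([switch]$Disable)   # report only unless -Disable is given

# Assumed keyword list, drawn from the product names the thread mentions.
$keywords = @('pcanywhere', 'gotoassist', 'logmein', 'teamviewer', 'landesk', 'launchanywhere')

# True when any of the supplied strings contains one of the keywords (case-insensitive).
function Test-RemoteAccessMatch {
    param([string[]]$Fields)
    foreach ($f in $Fields) {
        if (-not $f) { continue }
        foreach ($k in $keywords) {
            if ($f.ToLower().Contains($k)) { return $true }
        }
    }
    return $false
}

function Get-RemoteAccessServices {
    Get-WmiObject Win32_Service |
        Where-Object { Test-RemoteAccessMatch @($_.Name, $_.DisplayName, $_.PathName) } |
        Select-Object Name, DisplayName, State, StartMode, PathName
}

function Get-RemoteAccessProcesses {
    Get-WmiObject Win32_Process |
        Where-Object { Test-RemoteAccessMatch @($_.Name, $_.ExecutablePath) } |
        Select-Object ProcessId, Name, ExecutablePath
}

$services  = @(Get-RemoteAccessServices)
$processes = @(Get-RemoteAccessProcesses)

"Matching services: $($services.Count)"
$services  | Format-Table Name, State, StartMode, DisplayName -AutoSize -Wrap
"Matching processes: $($processes.Count)"
$processes | Format-Table ProcessId, Name, ExecutablePath -AutoSize -Wrap

if ($Disable) {
    foreach ($svc in $services) {
        # Set the service so it no longer starts at boot, then stop the running instance.
        Set-Service -Name $svc.Name -StartupType Disabled
        Stop-Service -Name $svc.Name -Force -ErrorAction SilentlyContinue
        "Disabled and stopped service $($svc.Name)"
    }
}
```

On a work machine under a volume licence, as the helper suspects here, the LANDesk entries will be expected and should stay; the point of the report is to make the full set visible so that anything the company's IT department did not install (a pcAnywhere host or a TeamViewer session the user did not start) can be singled out before -Disable is used.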